Domain-based Message Authentication, Reporting, and Conformance (DMARC)

From InboxSys document library
Revision as of 21:04, 8 June 2023 by Sebastian

A DMARC record is a DNS TXT record published at a subdomain named _dmarc of the sender domain.

DMARC records can be placed on the organisational domain as well as on subdomains. A subdomain that has no DMARC record inherits its DMARC record from the organisational domain. It is recommended to place a DMARC record on every organisational domain.

Example:

# host -t txt _dmarc.senderdomain.TLD
_dmarc.senderdomain.TLD descriptive text "v=DMARC1; p=reject; rua=mailto:dmarc@dmarc.mailmike.net; ruf=mailto:dmarc@dmarc.mailmike.net; rf=afrf; pct=100;"

Policy

The main purpose of DMARC is to set a policy (p). This policy names the action a receiver should take when unauthenticated mail from this domain is received (and only in that case). The options are:

  • none: do nothing when authentication fails
  • quarantine: put the mail in the SPAM folder when authentication fails
  • reject: reject the message when authentication fails

Only the reject policy fully protects a domain. "Unauthenticated" means that neither SPF nor DKIM produces a pass on an aligned domain.

Alignment

Alignment means that the domains validated by the authentication mechanisms match the RFC5322.From domain (the "sender domain" a recipient sees).

  • SPF authenticates the RFC5321.MailFrom domain (the "return path"). For SPF identifier alignment, the RFC5321.MailFrom domain must match the RFC5322.From domain.
  • DKIM authenticates the domain the sending mail server used to sign the message. For DKIM identifier alignment, that signing domain must match the RFC5322.From domain.
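The record lookup with subdomain inheritance described at the top of the page, together with the policy and alignment rules above, as one worked example. This is added example code, not part of the InboxSys page: FAKE_DNS is a constructed stand-in for DNS, organisational_domain() is a deliberate simplification (real software uses the Public Suffix List), and the adkim, aspf and sp tags are DMARC tags from RFC 7489 that the page itself does not discuss.

```python
"""Added example (not InboxSys code): look up a DMARC record with subdomain
inheritance, parse its tags, and evaluate one message's DMARC result from
the SPF and DKIM outcomes plus identifier alignment."""

# Constructed stand-in for DNS, keyed by TXT name. Real code would query DNS
# (e.g. with dnspython); nothing here touches the network.
FAKE_DNS = {
    "_dmarc.senderdomain.tld": (
        "v=DMARC1; p=reject; rua=mailto:dmarc@dmarc.mailmike.net; "
        "ruf=mailto:dmarc@dmarc.mailmike.net; rf=afrf; pct=100;"
    ),
    # A subdomain with its own, weaker record (constructed).
    "_dmarc.marketing.senderdomain.tld": "v=DMARC1; p=none; rua=mailto:dmarc@dmarc.mailmike.net",
}


def organisational_domain(domain: str) -> str:
    """Simplification: treat the last two labels as the organisational domain.
    Real implementations consult the Public Suffix List (think co.uk)."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def parse_dmarc(txt: str) -> dict:
    """Split 'tag=value; tag=value; ...' into a dict. Fills in the RFC 7489
    defaults for the alignment-mode tags adkim/aspf ('r' = relaxed)."""
    if not txt.strip().lower().startswith("v=dmarc1"):
        raise ValueError("not a DMARC1 record: %r" % txt)
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if "p" not in tags:
        raise ValueError("DMARC record without a p= tag")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def lookup_dmarc(from_domain: str, dns: dict = FAKE_DNS):
    """Return (tags, inherited). A subdomain without its own _dmarc record
    inherits the organisational domain's record; inherited=True marks that."""
    record = dns.get("_dmarc." + from_domain.lower())
    if record is not None:
        return parse_dmarc(record), False
    record = dns.get("_dmarc." + organisational_domain(from_domain))
    if record is None:
        return None, False
    return parse_dmarc(record), True


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict mode ('s'): exact match. Relaxed mode ('r', the default): the
    two domains share an organisational domain."""
    if not auth_domain:
        return False
    if auth_domain.lower() == from_domain.lower():
        return True
    return mode == "r" and organisational_domain(auth_domain) == organisational_domain(from_domain)


def evaluate(from_domain, spf_result, mailfrom_domain, dkim_result, dkim_domain, dns=FAKE_DNS):
    """Return (dmarc_result, disposition) for one message.

    from_domain      RFC5322.From domain (the sender domain a user sees)
    mailfrom_domain  RFC5321.MailFrom / return-path domain that SPF checked
    dkim_domain      d= domain of the DKIM signature that was verified
    DMARC passes when SPF passed on an aligned domain OR DKIM passed on an
    aligned domain; otherwise the published policy decides the disposition."""
    tags, inherited = lookup_dmarc(from_domain, dns)
    if tags is None:
        return "none", "none"   # no record published: nothing to enforce
    spf_ok = spf_result == "pass" and aligned(mailfrom_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    # On an inherited record the optional sp= tag overrides p= for subdomains.
    policy = tags.get("sp", tags["p"]) if inherited else tags["p"]
    return "fail", policy


if __name__ == "__main__":
    # Constructed scenario: third-party DKIM signature and SPF pass on an unaligned bounce domain.
    print(evaluate("senderdomain.tld", "pass", "bounce.esp-example.net", "pass", "esp-example.net"))
```

The scenario in the main block is the common one: mail sent through a third party that both signs and bounces under its own domain passes SPF and DKIM, yet fails DMARC because neither identifier aligns with the RFC5322.From domain, and with p=reject the message is refused. The pct tag is parsed but not applied; a receiver uses it to sample which failing messages the policy covers.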

Reports

A secondary function of DMARC lets receivers (ISPs and other mailbox providers) send reports on authentication success or failure for a domain. The reports go to the addresses given in two tags:

  • rua: aggregate reports (recommended)
  • ruf: forensic reports (not recommended)
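What a domain owner does with the rua reports, as an added example that is not part of the InboxSys page: parse one aggregate report and total the messages per DMARC outcome and per failing source IP. The XML is constructed here to follow the aggregate-report schema in RFC 7489 Appendix C (report_metadata, policy_published, record/row/policy_evaluated, auth_results); the reporter name, IPs and counts are invented sample data.

```python
"""Added example (not InboxSys code): summarise a DMARC aggregate (rua)
report so that unauthenticated sources stand out. Real reports arrive as
gzip or zip attachments at the rua: address; the XML here is constructed."""
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<feedback>
  <report_metadata>
    <org_name>example-receiver.test</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1686182400</begin><end>1686268800</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>senderdomain.tld</domain>
    <adkim>r</adkim><aspf>r</aspf><p>reject</p><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>senderdomain.tld</header_from></identifiers>
    <auth_results>
      <dkim><domain>senderdomain.tld</domain><result>pass</result></dkim>
      <spf><domain>senderdomain.tld</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>senderdomain.tld</header_from></identifiers>
    <auth_results>
      <spf><domain>unrelated.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>"""


def summarise(xml_text: str) -> dict:
    """Aggregate message counts per DMARC outcome and per failing source IP."""
    root = ET.fromstring(xml_text)
    published = root.find("policy_published")
    summary = {
        "domain": published.findtext("domain"),
        "policy": published.findtext("p"),
        "reporter": root.findtext("report_metadata/org_name"),
        "total": 0, "passed": 0, "failed": 0,
        # Raw SPF pass that did not count because the checked domain was not aligned.
        "unaligned_spf_pass": 0,
        "failing_sources": {},
    }
    for record in root.findall("record"):
        row = record.find("row")
        count = int(row.findtext("count"))
        evaluated = row.find("policy_evaluated")
        summary["total"] += count
        # policy_evaluated holds the *aligned* results; either one passing is a DMARC pass.
        if evaluated.findtext("dkim") == "pass" or evaluated.findtext("spf") == "pass":
            summary["passed"] += count
            continue
        summary["failed"] += count
        ip = row.findtext("source_ip")
        summary["failing_sources"][ip] = summary["failing_sources"].get(ip, 0) + count
        if record.findtext("auth_results/spf/result") == "pass":
            summary["unaligned_spf_pass"] += count
    return summary


def failing_sources_report(summary: dict) -> list:
    """One line per source IP that sent mail failing DMARC for the domain."""
    return ["%s: %d message(s) failed DMARC for %s" % (ip, n, summary["domain"])
            for ip, n in sorted(summary["failing_sources"].items())]


if __name__ == "__main__":
    s = summarise(SAMPLE_REPORT)
    print(s["reporter"], s["domain"], s["policy"], s["total"], s["passed"], s["failed"])
    print("\n".join(failing_sources_report(s)))
```

The second record shows why policy_evaluated, not auth_results, is the field to act on: SPF passed for unrelated.example, but that domain is not aligned with the RFC5322.From domain, so the receiver counted it as an SPF fail and applied the published reject policy. Reviewing the failing-source list over time is how a domain owner finds legitimate senders that still need SPF or DKIM set up before tightening p= to reject.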

Useful links